Dot11 Guru

802.11, Design, random ramble

How Skype changed how we think about WiFi – CWNE Essay 2


For years we had the same architecture for our wireless network.  For our mobile devices, a foreign WLC was anchored to a DMZ WLC via a mobility tunnel, and traffic was sent directly to the internet.  This design worked for us for a long time, until Skype became mission critical.


Although the solution still works, we found that the additional latency and overhead of the EoIP mobility tunnel caused instability in the application.  Together with issues with QoS tags on the wire, this meant we had to re-architect the solution, piloting it first in our top 15 sites globally.


The first step was to ensure the wireless configuration was optimal.  Following the many VoWiFi best practice guides, I started to compile our own document for internal use.  This ensured that we enabled technologies such as WMM, 802.11r and FastLane where required, and that any new wireless deployment met a set of requirements: primary and secondary RSSI, SNR, minimum mandatory data rates, co-channel interference (CCI), and a maximum number of clients enforced per radio.  This document is now used globally to design our wireless networks.


Before implementing this at any of the sites, I spent time in our lab verifying that WMM was tagging frames correctly, and that they received the correct DSCP value when entering the LAN.  I also tested our new AVC policies so that corrections could be made wherever mistakes were found.
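The lab check described above, written out as an added example (this is not code from the original post). It audits captured packet records for three separate failure modes: the client not tagging voice at all, the WLC rewriting the mark on the wired side, and a client over-marking ordinary traffic as voice, which is the case that matters from a security and fairness standpoint because an untrusted station can otherwise claim the voice queue. The UP-to-DSCP table and the application-to-UP policy are assumptions for illustration; substitute the values your WLC and AVC policy are actually configured with. The packet records are constructed, not captured.

```python
"""Audit WMM User Priority (UP) against the DSCP value seen on the wired side.

Added example, not code from the original post. The UP->DSCP table below is an
assumption (the voice, video, best-effort and background pairs commonly used in
VoWiFi guides); replace it with the values your WLC is actually configured for.
The packet records are constructed, not captured from a real network.
"""

from collections import Counter
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    client: str        # station MAC (constructed)
    app: str           # what AVC classified the flow as (constructed)
    up: int            # WMM User Priority from the 802.11 QoS Control field (0-7)
    wire_dscp: int     # DSCP observed on the LAN side of the WLC (0-63)


# Assumed mapping of WMM access categories to the DSCP expected on the wire.
UP_TO_DSCP: Dict[int, int] = {
    6: 46,  # AC_VO, EF: Skype voice
    5: 34,  # AC_VI, AF41: video
    0: 0,   # AC_BE, default
    1: 8,   # AC_BK, CS1: background/scavenger
}

# Assumed policy: which UP each application class should be carrying.
APP_TO_UP: Dict[str, int] = {
    "skype-voice": 6,
    "skype-video": 5,
    "web": 0,
    "backup": 1,
}


def classify(rec: Record) -> str:
    """Return one finding label for a record.

    'ok'              UP matches the application and the wire DSCP matches the UP.
    'client-untagged' the app should be voice/video but the client sent UP 0.
    'up-mismatch'     the client used a UP the policy does not expect for that app
                      (over-marking web traffic as voice lands here).
    'wire-mismatch'   the UP was right but the DSCP on the wire was rewritten.
    """
    expected_up = APP_TO_UP.get(rec.app, 0)   # unknown apps are treated as best effort
    if rec.up != expected_up:
        if rec.up == 0 and expected_up > 0:
            return "client-untagged"
        return "up-mismatch"
    if rec.wire_dscp != UP_TO_DSCP[rec.up]:
        return "wire-mismatch"
    return "ok"


def audit(records: List[Record]) -> Dict[str, int]:
    """Count findings over a capture so the lab test gives a single pass/fail view."""
    return dict(Counter(classify(r) for r in records))


# Constructed sample capture covering the correct case and each failure mode.
SAMPLE: List[Record] = [
    Record("aa:bb:cc:00:00:01", "skype-voice", 6, 46),  # correct end to end
    Record("aa:bb:cc:00:00:02", "skype-voice", 6, 0),   # WLC stripped the mark on the wire
    Record("aa:bb:cc:00:00:03", "skype-voice", 0, 0),   # client did not tag (WMM off)
    Record("aa:bb:cc:00:00:04", "skype-video", 5, 34),  # correct
    Record("aa:bb:cc:00:00:05", "web", 6, 46),          # web flow over-marked as voice
    Record("aa:bb:cc:00:00:06", "backup", 1, 8),        # correct
]


if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.client, rec.app, classify(rec))
    print(audit(SAMPLE))
```

A clean site should report only `ok`; any `wire-mismatch` points at the WLC or switch trust boundary, `client-untagged` at the device or its WMM setting, and `up-mismatch` at a client that the AVC policy must re-mark rather than trust.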

The next step was to re-architect the existing mobile network infrastructure.  We decided to utilize the firewalls already on site, and to send all wireless traffic from the WLC through a non-routed VLAN to the firewall, where it would meet a corporate internet link with the appropriate SLA.


We also took the opportunity to route our guest internet through the same method.  The foreign controller redirects users to our captive portal, served by Cisco ISE; once authenticated, they are sent to a best-effort ADSL link behind the same firewall.

The next step was to re-evaluate the authentication methods for this network.  We relied on WPA2 Enterprise using MSCHAPv2, backed by Microsoft NPS servers.  The mandate was to provide a network that prevented people from joining with untrusted devices.  Thankfully, our security team had implemented our own PKI in the past year, and we were able to utilize this for certificate-based authentication.


Certificates are pushed to each device using our mobile device management platform, AirWatch.  We used Cisco ISE as our authentication servers, which I built in a distributed deployment across the globe.  Certificate revocation is handled through the OCSP protocol.  The authentication and revocation flow was documented through analysis in our lab, and through research during my CWSP pursuit.  The final decision was to deploy an EAP-TLS solution.


This move pushes us in the right direction for our other networks, offering us the potential to minimize the number of SSIDs used in the organization, using CoA to direct our clients to the correct VLAN and apply the appropriate ACLs.  Whilst testing this technology I noticed that devices were not being profiled straight away, and were hitting the deny rule.  This poses a potential challenge for the future, which requires more research.  During this project, it was not a mandatory requirement to profile the device.
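The two stages the last two paragraphs describe, EAP-TLS authentication with OCSP revocation and then profile-driven VLAN/ACL authorization, modelled as an added example that is not the post's own work or Cisco ISE code. The certificate fields, OCSP responder table, profiling database and authorization rules are constructed stand-ins and assumptions chosen to reproduce the behaviour the post reports: the server fails closed on an expired, untrusted, revoked or OCSP-unknown certificate, and an endpoint that has not yet been profiled falls through every rule to the catch-all deny until a CoA re-authorization runs with its profile known.

```python
"""Model of the authenticate-then-authorize flow for a certificate-based WLAN.

Added example, not the post's or Cisco ISE's code. Certificate fields, the OCSP
responder table and the profiling database are constructed; the policy rules
are assumptions used to show the default-deny behaviour for unprofiled devices.
"""

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ClientCert:
    serial: str
    issuer: str
    subject: str
    not_after: datetime
    eku_client_auth: bool  # Extended Key Usage includes clientAuth


TRUSTED_ISSUER = "CN=Corp Issuing CA"  # constructed name for the internal PKI

# Constructed OCSP responder state: serial -> "good" | "revoked". Absent = unknown.
OCSP_TABLE: Dict[str, str] = {"1001": "good", "1002": "revoked", "1003": "good"}


def ocsp_status(serial: str) -> str:
    """Stand-in for an OCSP query. An unknown serial is reported as 'unknown', never 'good'."""
    return OCSP_TABLE.get(serial, "unknown")


def authenticate(cert: ClientCert, now: datetime) -> Tuple[bool, str]:
    """EAP-TLS server-side checks, fail-closed: every path to accept is explicit."""
    if cert.issuer != TRUSTED_ISSUER:
        return False, "untrusted-issuer"
    if cert.not_after <= now:
        return False, "expired"
    if not cert.eku_client_auth:
        return False, "wrong-eku"
    status = ocsp_status(cert.serial)
    if status != "good":
        return False, "ocsp-" + status   # revoked and unknown both reject
    return True, "ok"


# Constructed profiling database: endpoint MAC -> device profile (absent = not yet profiled).
PROFILES: Dict[str, str] = {
    "aa:bb:cc:00:00:10": "corp-laptop",
    "aa:bb:cc:00:00:11": "corp-phone",
}

# Assumed authorization rules (profile, vlan, acl), evaluated top to bottom, first match wins.
# Anything that matches no rule hits the implicit catch-all deny.
AUTHZ_RULES: List[Tuple[str, int, str]] = [
    ("corp-laptop", 100, "PERMIT-CORP"),
    ("corp-phone", 200, "PERMIT-VOICE"),
]


@dataclass
class Result:
    accepted: bool
    reason: str
    vlan: Optional[int] = None
    acl: Optional[str] = None


def authorize(mac: str) -> Result:
    """Pick VLAN and ACL from the endpoint's profile; no profile means no rule matches."""
    profile = PROFILES.get(mac)
    for rule_profile, vlan, acl in AUTHZ_RULES:
        if profile == rule_profile:
            return Result(True, "matched:" + rule_profile, vlan, acl)
    # Reached when the endpoint was not profiled in time (the race the post observed).
    return Result(False, "default-deny:" + (profile or "unprofiled"))


def connect(cert: ClientCert, mac: str, now: datetime) -> Result:
    """Full flow: authentication must pass before authorization is even evaluated."""
    ok, reason = authenticate(cert, now)
    if not ok:
        return Result(False, reason)
    return authorize(mac)


def coa_reauthorize(mac: str, profile: str) -> Result:
    """Model of a CoA after profiling completes: record the profile and re-run authorization."""
    PROFILES[mac] = profile
    return authorize(mac)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    later = datetime(2025, 1, 1, tzinfo=timezone.utc)
    cert = ClientCert("1001", TRUSTED_ISSUER, "CN=laptop1", later, True)
    print(connect(cert, "aa:bb:cc:00:00:10", now))   # accepted, VLAN 100
    print(connect(cert, "aa:bb:cc:00:00:99", now))   # default-deny: unprofiled
    print(coa_reauthorize("aa:bb:cc:00:00:99", "corp-phone"))  # accepted after CoA, VLAN 200
```

The point of the model is the ordering: revocation is checked before any authorization rule is read, and an endpoint with a valid certificate but no profile gets the deny rule rather than a default VLAN, which is exactly what the post saw in testing.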
